Ransomware authors are profiting from the rise of the cryptocurrency -- but it 's also bringing some unexpected problems for them and other dark web operators . The value of bitcoin has soared in recent days : at the one point the cryptocurrency was worth almost $ 19,000 before it dropped back to around $ 16,500 , where it has roughly remained since . It 's almost impossible to predict what will happen next . The price of bitcoin could rise again or it could crash -- but , for now at least , a single unit of the cryptocurrency is worth a significant amount of money . Bitcoin has become the popular payment method for ransomware over the last two years , as the digital currency provides cybercriminals with a means of collecting ransoms Attack.Ransom , while also making it difficult to get the ransom-collectors ' identities , thanks to the level of anonymity it offers . WannaCry Attack.Ransom , the biggest ransomware event of the year , for example , hit Attack.Ransom hundreds of thousands of PCs around the globe , encrypting files and demanding a payment Attack.Ransom of $ 300 in bitcoin for the safe return of what was stored on the machine . In this instance , the ransomware code itself was poorly written and the vast majority of victims were able to restore their systems without giving into the demands Attack.Ransom of the cyber-attackers . However , by the time those behind WannaCry Attack.Ransom had withdrawn funds from the associated Bitcoin wallets -- a full three months after the attack -- it meant the 338 payments Attack.Ransom victims had made were worth around $ 140,000 , which was an increase in value of just under $ 50,000 compared to when the majority of payments were made Attack.Ransom . If those behind WannaCry Attack.Ransom have held onto their illicit investment , they could now be sitting on over $ 1m of bitcoin . But the sudden spike in bitcoin could actually be problematic for some cybercriminals . Before the surge in value , 1 or 0.5 bitcoin was a common ransom demand Attack.Ransom , with the idea that if the fee was low enough -- back then the ransom value worked out at a few hundred dollars -- this would encourage the victim to pay up Attack.Ransom . Even as the value of bitcoin steadily rose during the summer , some attackers were still using the standard amounts of cryptocurrency as their ransom demand Attack.Ransom . For example , Magniber ransomware demanded a payment Attack.Ransom of 0.2 bitcoin ( $ 1,138 in mid-October ) , rising to 0.4 bitcoin ( $ 2,275 in mid-October ) if the payment wasn't received Attack.Ransom within five days . Two months later , 0.2 bitcoin is currently worth $ 3,312 while 0.4 bitcoin is up to $ 6,625 . Many forms of ransomware already ask for the payment Attack.Ransom of a specified amount of dollars to be made in bitcoin . While it pins hopes on victims being able to buy a specific amount of bitcoin and successfully transfer the payment -- which some criminal gangs get around by manning help desks providing advice on buying cryptocurrency -- it 's more likely to result in the victim paying up Attack.Ransom , especially if the figure is just a few hundred dollars . `` I imagine the volatility of bitcoin pricing has been an unexpected problem for cybercriminals . The average ransom demand Attack.Ransom has remained somewhere between $ 300 to $ 1000 , and normally the ransom note will specify a USD amount , '' Andy Norton , director of threat intelligence at Lastline , told ZDNet . It is n't just ransomware distributors who might be faced with the problem of valuing items in pure bitcoin : a Dark Web vendor -- whether they are selling malware , weapons , drugs , or any other illegal item -- might find that setting their price in pure bitcoin will quickly result in them pricing themselves out of the market . With bitcoin prices continuing to rise , sophisticated cybercriminal operators can likely react to it , altering prices on a day-to-day basis to ensure that they 're able to sustain their business . Criminals are trying out alternative pricing models for ransomware already . Some criminals already operate around the idea that they charge Attack.Ransom victims just enough so that they do n't see the ransom Attack.Ransom as too much to pay Attack.Ransom -- and that often depends on the country the victims are in . The Fatboy ransomware payment scheme charges Attack.Ransom victims in poorer countries less than those in richer ones . Meanwhile , those behind Scarab ransomware have started asking Attack.Ransom victims to suggest a payment amount Attack.Ransom for receiving the encryption key for their files .

The Necurs botnet has , once again , begun pushing Locky ransomware on unsuspecting victims . The botnet , which flip-flops from sending Attack.Phishing penny stock pump-and-dump emails to booby-trapped files that lead to malware ( usually Locky or Dridex ) , has been spotted slinging Attack.Phishing thousand upon thousand of emails in the last three or four days . “ Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky , ” Cisco Talos researchers noted on Friday . In the first part of the spam campaign , the emails contain no text except in the Subject line , which simply says “ Receipt ” or “ Payment ” , followed by random numbers . Those numbers are seen again in the name of the attached PDF file ( as seen in the screenshot above ) . Later , the emails were made to look like Attack.Phishing they contained a scanned image in PDF format for the recipient to peruse . In both cases , the attached PDF contains embedded Word documents with macros , and in order for them to be opened and run the aforementioned macros , users are required to enable them . This is achieved through subterfuge : the victims are shown a note saying that the document is protected , and that they have to “ Enable editing ” in order to view it . Before that , the victims are also prompted to allow the opening of the file – a step that ’ s required for the malware to bypass the protection offered by the program ’ s sandbox . “ The word document itself contains an XOR ’ d Macro that downloaded the Locky sample from what is likely a compromised website , ” the researchers explained , noting that the DNS requests associated with the domain serving the malware have been spiking , but that it ’ s difficult to determine if these requests are from victims or the many security practitioners that are investigating this widespread campaign . Users who go through through all the motions required to serve the malware will end up with their files encrypted and the .osiris extension added to them . The criminals behind the ransomware are asking for Attack.Ransom 0.5 Bitcoin ( around $ 620 ) in order to decrypt the files . Unfortunately for them , there is currently no way to decrypt the files without paying the ransom Attack.Ransom , so they ’ ll need to choose between losing the files ( if they have no backup ) or paying up Attack.Ransom ( although there is no guarantee that the crooks will keep their word ) .

FireEye has identified a set of financially motivated intrusion operations being carried out by a threat actor we have dubbed FIN10 . FIN10 is known for compromising Attack.Databreach networks , stealing Attack.Databreach sensitive data , and directly engaging victim executives and board members in an attempt to extort Attack.Ransom them into paying Attack.Ransom between 100 and 500 bitcoins ( valued at between $ 125,000 and $ 620,000 as of mid April 2017 ) . For some victims that did not give into the demand Attack.Ransom , FIN10 escalated their operation and destroyed critical production systems and leaked Attack.Databreach stolen data to journalists in an attempt to increase visibility of the compromise and coerce victims into paying up Attack.Ransom . The first known FIN10 operation was in 2013 and their operations have continued until at least 2016 . To date , we are primarily aware of Canadian victims – specifically casinos and mining organizations . Given the release of sensitive victim data , extortion Attack.Ransom , and destruction of systems , FireEye considers FIN10 to be one of the most disruptive threat actors observed in the region so far .

The malware asks for Attack.Ransom 222 Bitcoin but will not honor promises to decrypt files after payment is made Attack.Ransom . The cost of ransomware reached close to $ 1 billion in 2016 , and it 's not hard to see why . The malware family , which targets everything from Windows to Mac machines , executes procedures to encrypt files and disks before demanding a ransom payment Attack.Ransom in return for keys to decrypt and unlock compromised machines . However , it is not only the general public which is being targeted with everything from hospitals to schools and businesses now in the firing line . As the prospect of losing valuable content on computer systems or facing widespread disruption to business operations is often too much to bear , many will simply give up and give in , paying the fee and unfortunately contributing to the cybercriminal 's operations . However , paying up Attack.Ransom does not guarantee that victims will get their files back , no matter how low or high the payment demand Attack.Ransom . This week , ESET researchers discovered that a Linux variant of KillDisk , linked to attacks against core infrastructure system in Ukraine in 2015 , is now being used against fresh Ukrainian financial targets . The ransomware demands Attack.Ransom a huge amount of money , but there is no underwritten protocol for decryption keys to be released once payment is made Attack.Ransom . Distributed through phishing campaigns Attack.Phishing targeting both Windows and Linux , once downloaded , the ransomware throws up a holding page referring to the Mr . Robot television show while files are being encrypted , the research team said in a blog post . Unsurprisingly , no-one has paid up yet , nor should they , ever . `` This new variant renders Linux machines unbootable , after encrypting files and requesting a large ransom Attack.Ransom , '' ESET says . `` But even if victims do reach deep into their pockets , the probability that the attackers will decrypt the files is small . '' Files are encrypted using Triple-DES applied to 4096-byte file blocks and each file is encrypted using different sets of 64-bit encryption keys . However , the ransomware does not store encryption keys either locally or through a command-and-control ( C & C ) server , which means that affected systems after reboot are unbootable , and paying the ransom Attack.Ransom is pointless . `` It is important to note -- that paying the ransom demanded Attack.Ransom for the recovery of encrypted files is a waste of time and money , '' the team said . `` Let us emphasize that -- the cyber criminals behind this KillDisk variant can not supply their victims with the decryption keys to recover their files , despite those victims paying Attack.Ransom the extremely large sum demanded Attack.Ransom by this ransomware . '' There is a weakness in the encryption used by the ransomware , which makes recovery possible -- at least when it comes to Linux infections . Earlier this week , researchers at Check Point revealed the latest exploits of the GoldenEye ransomware , a strain of malware which is targeting German HR companies . The malware is contained in phishing emails which appear to be from job applicants , and once downloaded and installed , demands Attack.Ransom $ 1000 in Bitcoin to unlock infected systems